£1m national leaflet drop on care.data

16 October 2013 | Rebecca Todd

The government will spend £1m sending a patient information leaflet about the controversial care.data programme to every household in England.

As part of a joint £2m public awareness campaign being run by NHS England and the Health and Social Care Information Centre, 22m homes will receive the leaflet in January and extractions will begin in spring next year.

The total cost includes around £800,000 in funding for a helpline to answer people’s questions about the scheme, to help take the pressure off GP practices.

The A5 leaflet will not be addressed to anybody in the household, but will clearly indicate that it is from the NHS and explain how people can opt out of their data being extracted.

Patients will have a minimum of four weeks from the time of the leaflet drop to be able to object before extracts begin, but can also opt out after they have commenced.

The care.data programme involves taking a large monthly dataset from all GP practices covering patient demographics, events, referrals and prescriptions.

This will be linked with Hospital Episode Statistics and other datasets to create new Care Episode Statistics, giving a more holistic view of patient journeys in the NHS.

Datasets from care.data will be available publicly in aggregate form and in pseudonymised form to commissioners and health researchers.

GPs received a letter in late August explaining care.data and telling them that they have eight weeks to inform their patients about the scheme before extractions begin. Patients can opt out of the extracts by telling their GP, who can insert a Read code in their record.

However, many GPs had expressed concern that this would not be sufficient to meet their obligation to inform patients under the Data Protection Act. Some had advocated a mass opt-out of the scheme until they felt patients were properly informed.

In a press conference held yesterday, NHS England’s director of patients and information Tim Kelsey, chief data officer Geraint Lewis, and clinical and public assurance director of the HSCIC Dr Mark Davies, emphasised that the eight-week period was always a minimum and not intended to indicate that extractions would begin directly after that time.

They focused on highlighting the benefits of care.data in helping to manage the NHS by planning health services more efficiently and tracking patient outcomes. Lewis also said that individual patients would be able to download their personal confidential dataset or theograph. When asked why, he said they might choose to share this with a health professional or charity.

The speakers claimed that there has not been any ‘delay’ to the roll-out of care.data. However, NHS England’s business plan, released in April, set the target for 75% of GP practices to be providing a full extract to care.data by September 2013.

In a statement, HSCIC chair Kingsley Manning acknowledged that the benefits of care.data can “only be delivered in the context of public understanding and trust” and that feedback from doctors and the public had led the organisation to “take this more slowly”.

GPs have already been sent posters and leaflets about the programme to use in their practices and information about the scheme has been sent to 350,000 charities to share with their members. There will also be a “social media campaign”, although what this will involve was not made clear.

NHS England said the Information Commissioner's Office has endorsed the approach being taken to inform patients.

Hampshire GP Dr Neil Bhatia said the news of a leaflet drop only heightened his fears about properly informing patients about the care.data programme.

This is because his local commissioning support unit has recently started sending out patient information about the Summary Care Record. This is a completely different programme, which involves a limited patient dataset being uploaded to the NHS Spine where it can be viewed by emergency physicians involved in that patient’s care.

“Naturally patients are absolutely confused about the two, don’t know what to opt-in or out of, don’t understand the difference and don’t know if one opt out applies to the other.”

Dr Bhatia said he has been spending a lot of time explaining the difference between the two to patients and he believed that even in areas where the SCR is already rolled out, patients will still be confused.

My opinion on this is that if patients wish to use any NHS commissioned service, data should be shared across them all as part of the agreement to use services (including the departments that want to study and plan for future care).

I accept that there will be circumstances where it would be inappropriate for certain contacts to be shared and they should be marked as private between the clinician as long as they will not impact on care provision with other NHS commissioned services (if it is in the best interest of the patient and will benefit other NHS commissioned services it should be shared regardless).

Given the lists of services, exceptional treatments and drugs etc that are denied, the millions (probably in billions given the staff expense to implement) spent on the various record sharing rules is totally bonkers.

In summary and keeping it simple for patients, I feel that if people want to use NHS commissioned services and treatment they by default sign an agreement that they understand that their data will be shared across the NHS services and departments.

With the number of new providers due to come on board it’s virtually impossible to sustain all these sharing rules accurately anyway. This madness and total waste of money needs to stop!

And going for private care with Bupa: -

Confidentiality: The confidentiality of patient and member information is of paramount concern to the companies in the BUPA group. To this end, BUPA fully complies with Data Protection Legislation and Medical Confidentiality Guidelines. BUPA sometimes uses third parties to process data on its behalf. Such processing, which may be outside of the European Economic Area, is subject to contractual restrictions with regard to confidentiality and security in addition to the obligations imposed by the Data Protection Act.

Medical Information: Medical information will be kept confidential. It will only be disclosed to those involved with your treatment or care, including your GP, or to their agents, and, if applicable, to any person or organisation who may be responsible for meeting your treatment expenses, or their agents.

The BMA, RCGP and GPES advisory team also have a legal responsibility under the DPA (below) to contractually stipulate how the GP extracted data will be used. I have appended my suggestions too:

SCHEDULE 1 THE DATA PROTECTION PRINCIPLES

PART I THE PRINCIPLES

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Note particularly 11 in the following

The seventh principle

9 Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.

10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.

12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

Here are my suggestions from the ICO conference attended by a number of European regulators in March 2012

• I think data controllers (GPs in our particular case) should no longer be able to refuse online access to data subjects to all of their real time digital data if the technology can allow this access. (there is no section in our current DPA that deals with immediate access to digital data)

• I believe that data subjects should have the option of being part of a dynamic and ongoing process of deciding which parts of their data are sensitive.

• I believe that patient sensitive data (as defined by the patients as they view their data as it is being created with real time access to data that current technology allows – or later as they view it through their access rights) should be digitally coded and recorded at source as processing takes place.

• I believe that data subjects should have an opportunity to be involved in the decisions that are made about the retention and destruction of their data. We believe that one option would be a statutory requirement for data controllers to approach data subjects say 6 months before they destroy the data to see if the data subjects would like to have the data retained or to have it processed at their own expense elsewhere. (Some patients wish their medical records to be detained for their families after their death. They already pass on their records to family members when they have been given them in a hard or digital format.)

• I believe that the EU law should include a requirement for states to include privacy education in their national educational curricula.

• Digital audit trails of access to personal data should be made available to the data subjects

• Data controllers should be under statutory obligation to publish on their public facing websites the information sharing contracts that they have made with other data controllers for the processing of sensitive personal data.

• Data controllers should be statutorily required to publish the details of data and parties involved in the information flows of sensitive data.

• Data controllers should be obliged to publish the details of bulk transfers of personal data that they make from one data controller to another and to automatically log which data controllers have accessed a data subject’s data. (An audit trail again.)

Richard - well done - you appear to have broken the EHI comments system (at least the formatting) as well as put everyone off reading this thread. Copying in large chunks of the DPA98 is not at all helpful - try just putting in a reference; similarly a reference to your presentation last year would be better than reproducing it in full here.

In any event you are quoting the wrong bits of the DPA98 - it is not your responsibility to ensure that the HSCIC is processing the data securely or appropriately if you are required by law to provide it - you cease to be the data controller once the data is provided.

However, I would agree that you have a moral obligation to raise any concerns that you might have over the levels of protection afforded in care.data - but I haven't noticed any of that in the long posts that you put up.

The DPA has always made it clear that data subjects - citizens and patients of England in this context - should be informed of the ways in which their processing will be done. This should have taken place with the NPFIT programme but did not and is one of the reasons perhaps that the program failed.

Principle 1 (not a bad place to start a large NHS data and IT project) states as below and we still need to interest and educate and engage the public with their own data and its primary and secondary uses. (Think about it - why aren't the public interested in seeing their own health, prognostic, diagnostic and results data? It infuriates me as a GP that the patients don't seem to care about being actors in their own health and ill health - just passive puddings!)

PART II INTERPRETATION OF THE PRINCIPLES IN PART I

The first principle

1 (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.

(2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who—

(a) is authorised by or under any enactment to supply it, or

(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.

2 (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless—

(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and

(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).

(2) In sub-paragraph (1)(b) “the relevant time” means—

(a) the time when the data controller first processes the data, or

(b) in a case where at that time disclosure to a third party within a reasonable period is envisaged—

(i) if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed,

(ii) if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or

(iii) in any other case, the end of that period.

(3) The information referred to in sub-paragraph (1) is as follows, namely—

(a) the identity of the data controller,

(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,

(c) the purpose or purposes for which the data are intended to be processed, and

(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

3 (1) Paragraph 2(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such further conditions as may be prescribed by the Secretary of State by order, are met.

(2) The primary conditions referred to in sub-paragraph (1) are—

(a) that the provision of that information would involve a disproportionate effort, or

(b) that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4 (1) Personal data which contain a general identifier falling within a description prescribed by the Secretary of State by order are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions so prescribed in relation to general identifiers of that description.

(2) In sub-paragraph (1) “a general identifier” means any identifier (such as, for example, a number or code used for identification purposes) which—

(a) relates to an individual, and

(b) forms part of a set of similar identifiers which is of general application.

GPs will not be damned if they do, but may be damned if they don't provide care.data.

It's important to understand the legal basis for the collection of data (which will be through GPES). The Health and Social Care Act empowers NHS England to direct the HSCIC to require practices (and others) to supply information, including confidential information like that in care.data without relying on patient consent. That is the law passed by Parliament, rightly or wrongly. Potentially, such a collection of confidential information might be challenged under the Human Rights Act Article 8 right to a private and family life, although that is a qualified right and allows public authorities to interfere with this right where the law allows and where necessary e.g. to protect health. To address this respect for privacy under Article 8, NHS England is providing the opt out, and taking steps to inform people. But informed patient consent is not the legal basis for the data collection.

Given this, given the recent consultation with the ICO, and given the guidance a few years back from the GMC which explained that individual practices were not liable for decisions made by national bodies like NPfIT (I paraphrase), I do not believe that practices are at risk from the release of data under care.data.

As a patient, I want my data to be in the control of the NHS, not a contractor to the NHS (GP) and accept a fair use is anonymous use for research. I DO NOT accept that use of the NHS number is a pseudonymous process as it is used by those caring for me. A leaflet drop is not adequate as there are so many patients with literacy or language issues. SCR and care.data need to be communicated simultaneously by a range of media, however if designed appropriately there should be no issues with use of the data.

We do not ask a bank or online retailer to provide us a service without using our data, clearly the NHS cannot function without using the data.

Not happy for GPs and others to profit from this data use though, QOF should be abolished and fines for any service failing to deliver adequate care whether primary or acute care, and this should be against the CEO or practice management, whoever is ultimately responsible for decision making rather than against the organisation which ultimately means patient services suffer rather than the people making the decisions.

I too am a patient. My agreement is with my GP, not "the NHS". I agree to be open with my GP, in exchange for him helping me to get better. Nowhere did I sign up for information (my medical records) to go further afield, except when clinically necessary. And Care.Data is not clinically necessary for anything, except for sale in non-anonymised form.

Though my GP is practising in the Home Counties, I now gather that my medical records are in Pudsey (EMIS). The GP might trust the contractor, I wasn't even given the opportunity to examine or object. Given what Edward Snowden has released, that must mean that GCHQ already has a copy, now in the queue awaiting decryption.

As hospital records seem already to be on the HSCIC database, I wonder if GCHQ/Police already has a back door into it, in just the same way as they do into bank systems, air-line booking systems, the London congestion charge systems and a multiplicity of others?

It has got to the point where I object to the State Monopoly health provider flexing its muscle. As I watch the NHS act like a playground bully stealing information about me, I begin to see why (some of) the Yanks are so uptight about ObamaCare.

I know I will die younger than my parents, for I will no longer seek NHS treatment.

Unless you are going to wait until something goes wrong, the only way to judge adequate care is to extract data to judge the standard of care. The debate is how to minimise the risk of data being passed on that a patient does not wish disclosed.

QOF is far from ideal, speaking as a doctor, but the extraction system uses data processing at the practice with the results being transmitted onward to the centre. This overcomes the patient confidentiality problem in that the NHS knows how many of my diabetics have had their feet checked but not whether any individual has had the check.

I am not sure whether you are suggesting that QOF is payment for providing data. It is actually payment for hitting quality standards with the payment supported by the aggregated data supplied by the practice. Whether this approach is right or wrong, it is what the previous government wanted and opting out can drop practice funding to a point where it is not viable.

Finally, the 'target the CEO or practice management'. It is still the case that most practices are partnerships, ie owned and managed by the doctors who work in them (supported by practice managers). As a result it is not possible to separate out the 'management' from the clinical 'staff'. Act against one and the other is also affected. This is not an argument to let the guilty go unpunished but it shows how difficult it is to separate punishing the person and punishing the business (and patients) in general practice.

SCR was a letter to each individual 16yrs or older, and even then researchers from UCL found that seven in ten people in the three early adopter areas were unaware of the Summary Care Record (SCR). If 70% were unaware following a personal letter, what hope junk-mail?

care.data is NOT about patient care.

Medical staff treating you in GP surgeries, hospitals, A&E, pharmacies and out-of-hours centres will not use, or be able to use, this database.

It is purely for "secondary purposes".

It is disingenuous to talk about care.data and then state that "Having the right information about patients means professionals can make sure they get the right care and treatment" or "sharing means people don't have to repeat themselves constantly to each doctor, nurse, physiotherapist or care assistant they need to deal with" (to quote Mr Hunt).

I have had an interesting patient query today at The Big Opt Out. A patient sees a Consultant for a chronic disease and pays for own medication. The patient is fuming that the NHS is using his details from his private treatment anonymously for QOF and now care.data. Patient has now told his Consultant he must cease communicating with his NHS GP. Patient is going to unregister and find a private GP.

This raises an interesting question: I assume H&SC Act does not cover the extraction of data which is generated from private care?

I shall be asking the ICO for guidance. It places GPs and Consultants in an unenviable position if they have not sought explicit patient, as they have not done in the case of this patient.

It will be interesting to see the content of the letters: only commissioning and cancer research are mentioned in the News release on the NHS England website: will the letters include David Cameron's inclusion of Pharma?

Thinking back, there was a lot of criticism of the patient information campaign (where IIRC patients had 12 weeks to register an opt-out decision and which was supposed to include other publicity - local media, notices in libraries, pharmacies etc) as being inadequate and failing to reach especially deprived groups and people whose first language was not English.

"There will also be a “social media campaign”, although what this will involve was not made clear."

When SCR came up, the first people to demand opt-out in my practice were the Travellers - who were illiterate: how will a social media campaign spread information to the majority of the population who *don't* spend all their lives tweeting?

Have the standards for what does constitute adequately informing patients fallen/changed since SCR?

Presumably this leaflet will be noticed by 7% of the recipients just like the SCR mailing (UCL study), and the burden of explanation will still fall on practices. Is the Information Commissioner really satisfied that this junk mailing is consistent with fully informed consent for upload of identifiable clinical data which will be subject to secondary uses well outside direct patient care? Cameron has already been spouting about selling this info to Pharma for profit. I'm astounded that there has been so little noise about this proposed gross intrusion of privacy by the human rights organisations and the libertarian wing of the Tories.